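#!/usr/bin/env bash
#
# Allow inbound HTTP/HTTPS on one interface only from Belgian, Dutch and
# Luxembourg (BENELUX) address ranges, using ipdeny.com aggregated zone
# files loaded into ipsets; everything else on ports 80/443 is dropped.
#
# Must run as root. Requires: wget, ipset, iptables, ip.
# Only IPv4 is handled (iptables/ipset inet family), as in the original
# script; IPv6 HTTP(S) traffic is not touched by these rules.
set -euo pipefail

readonly GRN=$'\e[32m'
readonly RED=$'\e[31m'
readonly END=$'\e[0m'
readonly ZONE_URL_BASE='https://www.ipdeny.com/ipblocks/data/aggregated'
readonly COUNTRIES=(be nl lu)

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Download one country zone file and load it into the ipset of the same
# name. A failed or partial download must never shrink the allowlist, so
# the file is fetched to a temp name, validated, loaded into a scratch set
# and swapped in atomically only when complete. Re-running therefore
# also drops ranges that are no longer in the published zone.
# Arguments: $1 - two-letter country code (also the ipset name)
# Outputs:   writes <cc>-aggregated.zone into the current directory
#######################################
load_zone() {
  local cc=$1
  local zone="${cc}-aggregated.zone"
  local tmp
  tmp=$(mktemp "${zone}.XXXXXX") || die "mktemp failed"
  if ! wget -O "$tmp" "${ZONE_URL_BASE}/${zone}"; then
    rm -f -- "$tmp"
    die "download of ${zone} failed"
  fi
  if [[ ! -s "$tmp" ]]; then
    rm -f -- "$tmp"
    die "${zone} is empty"
  fi
  mv -f -- "$tmp" "$zone"

  ipset create "$cc" hash:net -exist
  ipset create "${cc}_tmp" hash:net -exist
  ipset flush "${cc}_tmp"

  # Only IPv4 CIDR lines are accepted; anything else (for example an HTML
  # error page saved as the zone file) aborts rather than polluting the set.
  local cidr_re='^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$'
  local net
  while IFS= read -r net || [[ -n "$net" ]]; do
    [[ -n "$net" ]] || continue
    [[ "$net" =~ $cidr_re ]] || die "unexpected line in ${zone}: ${net}"
    ipset add "${cc}_tmp" "$net" -exist
  done < "$zone"

  ipset swap "${cc}_tmp" "$cc"
  ipset destroy "${cc}_tmp"
}

#######################################
# Add an INPUT rule unless an identical one already exists, so re-running
# the script does not stack duplicate rules.
# Arguments: $1 - iptables action (-I or -A); rest - rule spec without chain
#######################################
add_rule() {
  local action=$1
  shift
  iptables -C INPUT "$@" 2>/dev/null || iptables "$action" INPUT "$@"
}

main() {
  [[ $EUID -eq 0 ]] || die "this script must run as root"
  local tool
  for tool in wget ipset iptables ip; do
    command -v "$tool" >/dev/null || die "required tool not found: ${tool}"
  done

  printf '\n%sCurrent network config: %s\n\n' "$RED" "$END"
  ip a
  printf '\n'

  local interface
  read -r -p "Please enter the interface on which you want to block all http(s) traffic except from BENELUX: " interface
  [[ -n "$interface" ]] || die "no interface given"
  ip link show dev "$interface" >/dev/null || die "no such interface: ${interface}"

  printf '\n%sDownloading country zones and creating ipsets%s\n\n' "$RED" "$END"
  local cc
  for cc in "${COUNTRIES[@]}"; do
    load_zone "$cc"
  done

  printf '\n%sCreating iptables rules %s\n\n' "$RED" "$END"
  # The ACCEPT rules are scoped to the same interface and ports as the DROP
  # rule below. An unscoped "-p tcp -j ACCEPT" inserted at the top of INPUT
  # would admit BENELUX sources to every TCP port ahead of any other rule,
  # which is far broader than "allow http(s) from BENELUX".
  for cc in "${COUNTRIES[@]}"; do
    add_rule -I -i "$interface" -p tcp -m multiport --dports 80,443 \
      -m set --match-set "$cc" src -j ACCEPT
  done
  add_rule -A -i "$interface" -p tcp -m multiport --dports 80,443 -j DROP

  printf '\n%sCurrent iptables: %s\n\n' "$GRN" "$END"
  iptables -nvL
}

main "$@"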
